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Introduction 


As required by the Data Protection Act 2018 (the DPA), we have been 
working on updating our Data sharing code of practice (the code), which was 
last published in 2011. The draft updated code explains and advises on 
changes to data protection legislation that are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, lawful 
bases for processing, the new accountability principle and the requirement to 
record processing activities. The draft code continues to provide practical 
guidance in relation to data sharing and to promote good practice. 


We are now publishing the draft code for consultation. 


We are also taking the opportunity in this document to publish the responses 
we received to the call for views we issued last year, along with a thematic 
Summary drawn from those responses. 


Our work on the code consists of two phases. 


e Phase one focuses on the update to the code, including the call for 
views, this summary, the draft code and consultation process. 

e In phase two we will develop further useful guidance and resources on 
our website, to assist organisations which are involved in data sharing. 
Our intention is that, in addition to legislative changes, the code and 
the phase two work will also cover technological and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


The DPA requires that before preparation of the code, the Information 
Commissioner must consult the Secretary of State and others. She is also 
seeking input from trade associations, data subjects and those representing 
the interests of data subjects. 
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Call for Views 


In August 2018 the Information Commissioner issued a call for views to 
inform our work in developing the code. This call for views was the first stage 
of the consultation process. 


Our survey covered some of the key issues we needed to consider in starting 
to take forward this work, and posed a number of open discursive questions. 


101 responses were received to the call for views: 
e 75 of these were completed on the web-form; 
e 16 were responses to the survey sent via email; and 
e 10 were separate email comments from respondents which did 
not answer the survey questions. 


We have only published responses received from organisations; these are 
available to read on our website. 


We said at the launch of the survey we would not publish individual 
responses. As it was not always explicit on the web-form responses whether 
Submissions were being made on behalf of an organisation or from an 
individual merely identifying an organisation they worked for, we are only 
publishing the web-form survey responses that explicitly named the 
organisation. 


No responses were received via post. 
The respondents were from across a range of public and private sectors, 


third sector and voluntary organisations, trade associations and individual 
members of the public. 
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Key themes 
Scope 


Overall, the responses overwhelmingly accorded with the ICO’s aim of 
updating the code rather than replacing it with a completely different 
document. It was clear that the code is a very well-used tool and 
respondents are awaiting the update to help them with their day-to-day 
work. 


A major theme emerging from the responses concerned the scope of the 
code itself and what should fall within its remit. Respondents were very keen 
for the code to be brought up to date with the new legislation and noted that 
it should explicitly state that the General Data Protection Regulation (GDPR) 
turns what was essentially good practice under the Data Protection Act 1998 
into a legal minimum. 


Many respondents asked for basic definitions of data protection terms such 
as ‘controller’ and ‘processor’, although there was some recognition that the 
code should not replicate huge sections of the ICO’s guidance. 


Some respondents requested increased sector-specific guidance. Examples 
included health and local government. A few wanted a very prescriptive code, 
but others noted the risk that trying to cover every possible scenario of data 
Sharing might be too ambitious. 


A number of respondents asked for a greater emphasis on law enforcement 
processing. A couple even felt it required an entirely separate code. A 
number also wanted the code to provide guidance on sharing before and 
after Brexit, with updated detail on international transfers. 


In places there was a sense that respondents were using the call for views to 
raise more general data protection issues that might not squarely fit within 
the scope of the code itself. 


There was an emerging call for a clearer definition of data sharing 
agreements to distinguish them from data processing agreements, contracts 
or Memoranda of Understanding (MOUs). 


Some respondents asked for clarification on pseudonymisation and 
anonymisation, with reference made to the issues of changing technology 
and true anonymisation. 


There was an appetite for a much more modern online document, in line with 
the formatting of other guidance from the ICO. Respondents were keen for 
hyperlinks taking them to relevant case studies, checklists, templates and 
other guidance. There was a sense that the code has an opportunity to be a 
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more interactive tool than its predecessor. Respondents wanted templates to 
be accessible and usable, rather than embedded in one large PDF document. 


ICO comment 


Our aim is to update, not replace the code. We recognise the desire from 
some respondents for very detailed sectoral advice, but take the broader 
view that the code must be more generic but helpful and influential in its 
scope. 


Guidance elsewhere on our website covers many of the issues raised by 
respondents that fall outside the scope of the code. Our preference is not 
to replicate other ICO guidance. 


Since the code is statutory, there are certain restrictions on its format. We 
aim to address this by providing further guidance and links in our 
resources in phase two of the work on the code. 


Balance 


An overarching theme of the responses was whether the existing code strikes 
the right balance between recognising the benefits of sharing personal data 
and protecting personal data. 


Question 4 of the Snap Survey specifically posed this question and 84 
respondents answered it. There was a close result with 39 stating that the 
code strikes the right balance (46% of those responding to the question) and 
45 stating that it fails to do so (54%). Alongside the poll, a number of 
respondents raised this issue in their comments. 


We received one negative comment about the ICO’s role in guidance on data 
sharing, stating it was not for the ICO to discuss the positives or negatives of 
data sharing, but simply to enforce the law. 


Respondents were concerned about the negative consequences of deciding 
not to share personal data where a lawful basis and good reason allowed 
them to do. Respondents noted serious scenarios in a health context where 
deciding not to share personal data could result in risk to life. 
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ICO comment 


We want to provide a code that helps organisations to make an informed 
decision to share personal data when it is lawful and appropriate to do so. 


We recognise that not every situation is clear-cut. We aim to help 
organisations to get this balance right by focusing on accountability within 
the code and providing an easy to follow overview of weighing up the 
balance of the benefits of data sharing and safeguarding rights and 
freedoms. 


Confidence 


Building on the theme of balance, there was broader commentary on a 
culture of risk aversion and a fear of GDPR deterring data sharing. 
Respondents commented that an increased awareness of GDPR, and some 
scaremongering, has had a knock on effect, consciously or unconsciously 
deterring data sharing even when the justifications for doing so are sound. 
They warned of a culture of organisations being scared to share data, and 
Suggested that the code should be a way of providing confidence to 
practitioners. 


References were made to the 2013 NHS Information Governance ‘Caldicott 2’ 
National Data Guardian review on data sharing and her comments that a 
culture of anxiety permeates the health and social care sector. 


There were a couple of other main themes around readers’ confidence in 
using the code. 

First, many respondents commented on the readability of the code, 
emphasising the importance of practitioners being able to understand it and 
make appropriate decisions based on that understanding. There were 
comments praising the readability of the 2011 code, but some felt a plainer 
English approach could be adopted and there could be more pull-out boxes 
and examples of good practice, to break up large chunks of text. Suggestions 
included one-page summaries, templates, more case studies and links to 
other ICO guidance. 

Second, the other main area around uncertainty was about relevant lawful 
bases for data sharing. This came across as a significant area where 
practitioners wanted to have greater confidence. 


Respondents either wanted clear definitions and examples of lawful bases for 
processing, or guidance on associated documentary requirements. A few 
respondents indicated that they believe organisations are sometimes using 
the wrong lawful basis. In particular, some highlighted that there should not 
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be undue reliance on consent when there is a more appropriate lawful basis 
for data sharing. Some spoke of experiences where data sharing had stopped 
because of a lack of confidence in using alternative lawful bases to consent. 
Public sector respondents particularly wanted more clarity on when they can 
use legitimate interests. Respondents were keen for more detailed examples 
of the three-part legitimate interest test. 


ICO Comment 


We want to increase trust and confidence in data sharing and dispel myths 
about data sharing, focusing minds on what the law actually says. We 
believe this will help organisations to avoid undue risk aversion. 


We want the code to improve the standards of interpretation of the law by 
using plain English and an easy to read format. 


We want the code to better explain different lawful bases for processing 
and to be in line with other developments in information rights. However 
the ICO website guidance should be the main resource on this topic, and 
we will encourage organisations to refer to that as well. 


Guidance 


Also emerging from the call for views were specific areas on which 
respondents wanted greater guidance. Most respondents felt that the code 
did not go into enough detail on particular types of data sharing, such as ad 
hoc / exceptional types of data sharing. Some stressed that all heads of data 
Sharing were important and there should not be a perception of a hierarchy. 
However, it came across that alongside guidance on how to approach 
everyday data sharing scenarios (ie routine / systematic), there was a call 
for more detail on how to approach the unexpected or unusual (ie ad hoc / 
exceptional). 


A few respondents referred to administrative issues, such as the challenges 
for them in terms of time and resources if every strand of systematic data 
sharing were to need a data sharing agreement. A number of respondents 
mentioned documentation requirements. 


Respondents would like some steer on situations involving joint controllers 
and those formerly known as “controllers in common”. 


A number of public sector respondents were keen for a reference to data 
sharing powers under the Digital Economy Act 2017. 
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Some respondents were keen to see more detail on the rights of data 
Subjects in data sharing scenarios. They wanted the code to give greater 
guidance on when practitioners need to inform data subjects about data 
Sharing. There were also comments about exemptions; in particular statistics 
and research. 


There was also a wish for more guidance on various data sharing situations 
involving law enforcement processing; both domestically and internationally. 


Other suggestions on improving guidance included suggesting the use of 
‘REDS’ in examples: reason for processing, expectation of the data subject, 
documentation, security. 


Additional comments stated that little is mentioned in the current code about 
the transmission of personal data, and also that the new code should say 
more on risk and on the practical responsibilities of the Data Protection 
Officer. 


ICO Comment 


Our ambition is for the code to be an excellent source of guidance, giving 
clear guidance on difference types of data sharing and data subject rights. 
However the code is not intended to replicate the ICO’s existing website 
guidance. 


We want the code to set the standard on practical guidance on data 
sharing. We will ensure it is accurate and engaging. 


The call for views highlighted a large number of particular and sectoral 
situations of concern to respondents. We will consider how we can provide 
both specific and broader generic advice that allows readers to become 
more knowledgeable in their fields, both in the code and in the planned 
phase two guidance, in ways that are complementary to existing ICO 
guidance. 


Relevance 


Most respondents agreed the code was relevant to their areas but needed 
tweaking in parts. 


A number of respondents mentioned the significance of technological 
developments relevant to their operations. 
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Relevance was a recurrent theme in suggested case studies. There was a 
sense that more varied case studies from a wider range of examples would 
be welcome. 


Respondents were keen to see both the good and the bad. This included 
Suggesting examples to show how good data sharing arrangements can help 
demonstrate compliance with the legislation and conversely examples where 
the ICO had to take enforcement action. 


Whilst there was some understanding that the code could not cover every 
data sharing scenario, there was hope from respondents that it could 
address, even if indirectly rather than explicitly, some of the current issues 
facing practitioners. 


For example, there was reference to a recent Supreme Court judgement on 
information sharing provisions within the Children and Young People 
(Scotland) Act 2014 declared incompatible with article 8 of the ECHR, and its 
ensuing impact on data sharing. The respondent felt an updated code could 
help to provide clarity as to when data sharing is possible. 


Views were mixed as to whether the current code covered everything it 
needed to in sufficient detail. Some said the code was vague, whereas others 
Said it did provide enough detail and just needed updating with the new 
legislation. 


ICO Comment 
Our ambition is for the code to be highly relevant, up to date on current 


cyber-related privacy issues and to provide a roadmap in anticipating 
future technological developments. 


Some respondents expressed willingness to participate in further 
discussion on creating appropriate case studies. This will form part of the 
consultation process which is the next stage. 


Next steps 


We have used this feedback to contribute to drafting an update on the code, 
which we are now putting out for consultation. 


We recognise that stakeholders are keen to see gaps filled but that the 
foundations do not need replacing. 
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We plan a two-phase approach. In the first phase, and following this 
feedback, we have produced a draft updated code to align with the GDPR and 
Data Protection Act 2018. We are now engaging again with stakeholders as 
we put the draft out for consultation. Once the final code has been published, 
we will develop further useful guidance and case studies. 


We understand the importance of getting the code right. Since last year 
there has been a ‘health warning’ on the current 2011 code on the ICO 
website to alert readers that the legislation has changed. We know that 
organisations in all sectors are keen to have access to an updated version. 
We are pleased to be able to report to you here on the call for views 
responses and now look forward to hearing from you in the consultation on 
the draft code. 


We remain committed to designing an effective and useful code that 
promotes good data sharing and deters the bad, in such a way that 
fundamentally protects the rights of the data subject whilst supporting the 
necessary sharing of personal data. 
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